Skip to main content

Checkmarx SCA Release Notes April 2023


These release notes relate to the SCA standalone product. Users who consume SCA through Checkmarx One should refer to the Checkmarx One release notes to see which SCA features have been released in Checkmarx One.


We are in the process of rolling out a new comprehensive Management of Risks service which will replace the current service. The current APIs IgnoreVulnerability and UnignoreVulnerability will soon be deprecated. Please plan accordingly. For more info, feel free to contact your Technical Account Manager.

Global Inventory and Risks

We have revamped the system used for gathering data for the Global Inventory and Risks screen. We now use a dedicated service to process the data. This will greatly improve the performance of this feature, improving pagination, searchability and responsiveness.

The new service retains data for only one and a half years, so that packages and risks that haven't been detected by any recent scans aren't shown on this screen.


The data shown in Scan Results for specific projects is retained for a longer period of time.

Support for Unity Package Manager

We added support for Unity package manager.


Languages/Frameworks: Unity

Repository: Unity Technologies, Needle-mirror, Open UPM

File Types: none

Supported Package Managers

Exploitable Path

Supply Chain Security (SCS)

Manifest Files (Packages marked with (blue star) are required)




manifest.json(blue star), packages.json(blue star)

File Extraction

We now extract .jar compressed files, and scan the extracted files (in addition to existing support for .war, .ear and .zip). We have also increased the recursive extraction to 4 levels of depth.

SCA Resolver Releases

We released the following new versions of SCA Resolver:


The complete changelog, and links to download SCA Resolver are available here.

Version 2.1.5

  • Added support for Unity package manager. For more information, see Unity Package Manager Dependency Resolver.

  • For Bower, fixed issue that dependency resolution was failing when latest version ("*") was specified.

  • For Ivy, fixed issue that unused versions were being resolved despite the fact that a newer version had been specified in the manifest file.

  • ImageResolver updated to version 2.0.43.

Version 2.1.2

  • Added support for authentication via Master Access Control, see Master Access Control Authentication for Checkmarx SCA Resolver.

  • For Sbt, stack overflow is fixed when building the dependency tree.

  • For Gradle, when a submodule is duplicated in a project we now resolve the package only once.

  • ImageResolver was updated to version 2.0.41.